DOES THE DATA RETENTION DIRECTIVE
DEMONSTRATE A PROPORTIONATE RESPONSE TO
TERRORISM?
T. Ayhan Beydoğan
*Abstract
In response to the increasing terrorist attacks across the globe, both governmental and EU-level actions were launched, culminating with a number of legislative measures. In this regard, the Data Retention Directive entered into force in 2006, bringing out certain legal tools towards ensuring confidentiality of the communications to safeguard national security, public security and the prevention, investigation, detection and prosecution of crimes. This paper aims to discuss whether that Data Retention Directive demonstrates a proportionate response to terrorism. To this end, firstly, the so-called Directive is assessed in general and with its specific measures. Secondly, proportionality of the Directive is analyzed. Finally, some remarks will be made on the most prominent issues pertinent to data retention, e.g. blanket data retention, right to privacy, retention period, and other safeguard measures.
Öz
Dünya genelinde artış gösteren terror saldırılarına bir cevap mahiyetinde; gerek hükümet gerekse AB düzeyinde yasal tedbirler ile sonuçlanan bazı aksiyonlar gerçekleştirilmiştir. Bu kapsamda, ulusal güvenliğin ve kamu güvenliğinin korunmasını teminen iletişimin gizliliğinin sağlanması ile suçların önlenmesi, soruşturulması, tespiti ve kovuşturulmasına yönelik bir dizi hukuksal tedbir öngören Veri Saklama Direktifi 2006 yılında yürürlüğe girmiştir. Bu çalışma, Veri Saklama Direktifi’nin terrörizme karşı orantılı bir cevap ortaya koyup koyamadığını tartışmayı amaçlamaktadır. Bu amaçla, ilk olarak bu Direktif genel olarak ve özel önlemler açısından değerlidirilmektedir. Ardından, Direktifin orantılılık düzeyi analiz edilmekte ve nihayet (genel) veri saklama
yükümü, mahremiyet hakkı, veriyi saklama dönemi ve diğer koruma tedbirleri dâhil olmak üzere veri saklamaya dair en temel hususlara ilişkin değerlendirmelere yer verilmektedir.
Keywords: Data retention, proportionality, European Convention on Human
Rights, blanket data retention, right to privacy, confidentiality
Anahtar Kelimeler: Veri saklama, orantılılık, Avrupa İnsan Hakları
Konvansiyonu, veri saklama yükümü, mahremiyet hakkı, gizlilik I. INTRODUCTION
Terrorism is one of the most important problems of the contemporary world. It is a neither a new nor a temporary phenomenon. Terrorist attacks have increased world-wide and reached a peak with the 9/11, 11/3 and 7/7 attacks.1
Evidence found after these attacks revealed that terrorists used the Internet to communicate with each other and prepare their plans.2 Thus, governments as well as the European Union (EU) realized the significance of communication data in combating terrorism and embarked to take measures regarding data retention.
The European Council designated terrorism as a menace against the common values of the EU and instructed the Council to determine rules regarding the retention of communications data.3 In April 2004, after the Madrid bombings, the countries of France, UK, Sweden and Ireland offered a draft Council Framework Decision (‘draft Decision’) that includes rules regarding data retention. However, the European Parliament (EP) rejected it, claiming that it was disproportionate.4 Hereupon, the European Commission offered a draft
Directive and after long discussions, the Data Retention Directive5 (DRD) was
approved by a qualified majority.6 However, discussions about the
proportionality of the DRD are still on the increase.
1 These refer to the Sep. 11, 2001 attacks in the U.S., the Mar. 11, 2004 attacks in Spain, and the
Jul. 7, 2005 attacks in the U.K.
2 Clay Wilson, C
OMPUTER ATTACK AND CYBER TERRORISM:VULNERABILITIES AND POLICY ISSUES FOR CONGRESS 12 (CRS Report for Congress, 2003), available at http://www.law.umaryland.edu/ marshall/crsreports/crsdocuments/RL32114.pdf (last visited Apr.12, 2010).
3 European Council, Declaration on Combating Terrorism, Mar. 25, 2004, at 4, available at
http://www.libertysecurity.org/article16.html (last visited Apr. 12, 2010).
4 Gareth Davies and Gayle Trigg, Being Data Retentive: A Knee Jerk Reaction, COMMUNICATIONS
LAW, Volume 11(1) (2006), at 18.
5 European Council Directive 2006/24/EC, 2006 O.J. (L 105) 54 [hereinafter ‘DRD’].
6 Irish and Slovak delegations voted against the directive. See Press Release, European Court of
Justice, Press Release No 11/09, Judgment of the European Court of Justice iğn Case No. 301/06, Case of Ireland v. Parliament and Council (10 February 2009), available at
In this context, this paper aims to discuss whether the DRD demonstrates a proportionate response to terrorism. To achieve this goal, firstly, the DRD will be assessed. Later, proportionality of the DRD will be analyzed. Finally, some remarks will be made on the issue of data retention.
II. DATA RETENTION DIRECTIVE A. General Framework of the DRD
Europe adopts privacy, the “right to be let alone,”7 as a political imperative
anchored in fundamental human rights.8 The EU Treaty provides that the EU
shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).9 Article 8
of the ECHR constitutes the basis for the protection of individual privacy at the EU level.10 According to the ECHR, everyone has the right to respect for his private and family life, his home and his correspondence; this right cannot be interfered with by any public authority unless it is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others and is in conformity with the law.11 It means first that the measure to be taken by the Member States must be proportionate to the legitimate goals pursued and that no other means less intrusive will exist. It means also that the measures have to be considered as legitimate taking fully into account the very democratic nature of the ECHR Signatory States. Furthermore, the European Court of Human Rights (Court) expressed in the Malone12 and Sunday Times13
cases that the existence of a law is not adequate; a law that interferes with privacy must also be accessible and foreseeable.
Likewise, the Data Protection Directive14 (DPD) secures the rights and
freedoms of natural persons regarding the processing of personal data and
http://www.statewatch.org/news/2009/feb/eu-ecj-ireland-datret-judgment-prel.pdf (last visited Sep. 5, 2010).
7 Thomas M. Cooley, L
AW OF TORTS 29 (2nd ed., Callaghan and Company, 1888).
8 Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38H
OUSTON L.REV. 717, 731 (2001).
9 Treaty of the European Union, art. 6, 2010 O.J. (C 83) 15.
10 Paul De Hert, Balancing Security and Liberty within the European Human Rights Framework.
A Critical Reading of the Court’s Case Law in the Light of Surveillance and Criminal Law
Enforcement Strategies after 9/11, 1 UTRECHT L.REV. 68, 70 (2005).
11 Council of Europe, European Convention of Human Rights, art. 8, Nov. 4, 1950, ETS No. 5. 12 Malone v. UK, App. No. 8691/79 (Eur. Ct. H. R., Aug. 02., 1984), para. 66.
13 Sunday Times v. UK, App. No. 6538/74 (Eur. Ct. H.R., Apr. 26, 1979) para. 49. 14 European Council Directive, 95/46/EC, 1995 OJ (L 281) 31 [hereinafter DPD].
particularly their right to privacy. Besides, the Electronic Privacy Directive15
(EPD) determines the rules about the processing of traffic and location data. According to the EPD, communications data may only be stored for a limited time and only for the purpose of billing and interconnection payments, so this data must be erased or made anonymous when it is no longer needed.16 The
European Parliament, after the 9/11 attack, adopted a last-minute amendment to the EPD17 that allows Member States to restrict the rights and obligations
regarding traffic and location data as well as the confidentiality of the communications to safeguard national security, public security and the prevention, investigation, detection and prosecution of crimes. However, these restrictions must be necessary, appropriate and proportionate in conformity with a democratic society and fundamental rights, as guaranteed by the ECHR.18
Although many commentators have regarded data retention as an interference with the fundamental rights and opposed to DRD,19 the EU, taking into consideration the increasing threat of terrorism, adopted it.
B. Main Provisions of the DRD
The DRD attempts to harmonize the obligations of the service and network providers of Member States regarding the retention of certain data which is generated or processed by those providers so as to ensure that the data is available for the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.20 The DRD excludes data that
reveals the content of communications21 and covers traffic and location data22 as
well as unsuccessful call attempts23 needed to identify the subscriber or
registered user.
The retained data can only be provided upon request to the competent national authorities without undue delay24 in specific cases and each Member
State must establish the procedures and conditions of access to this retained data in accordance with the necessity and proportionality requirements25 in such a
15 European Council Directive, 2002/58/EC, 2002 OJ (L 201) 37 [hereinafter EPD]. 16 Id., art. 6
17 Ian J. Lloyd, I
NFORMATION TECHNOLOGY LAW 58 (4th ed., Oxford University Press, New York, 2004).
18 EPD, supra note 15, art. 15.
19 Monica Vilasau, Traffic Data Retention & Data Protection: The New European Framework, 13
COMP. AND TELECOM.L.REV.59(2007).
20 DRD, supra note 5, art. 1(1). 21 Id., art. 5(2).
22 Id., art. 1(2). 23 Id., art. 3(2). 24 Id., art. 8.
way that the access must be limited strictly in the case of serious offences defined under the national laws.
Moreover, the data needed to trace and identify the source, destination, date, time, duration and type of communication must be retained26 for a 6-24 months
period27 which can also be extended.28 At the end of this period, the data should
be destroyed.29
Furthermore, the retained data should be of the same quality and subject to the same security so as to be solely accessed by specially authorized personnel.30 Each Member State should assign a public authority to
independently monitor the implementation regarding the security of the stored data.31 National legislation must contain provisions of criminal law regarding
violations of the domestic rules transposing the DRD.32
National legislation had to be in compliance with the DRD by 15 September 2007. However, provisions concerning the retention of Internet data could be deferred until 15 March 2009.33 Each Member State must provide statistics to the Commission about the retained data on a yearly basis34 and the Commission
was to present an evaluation to the European Parliament and Council about the application and effects of the DRD by 15 September 2010.35
III. PROPORTIONALITY OF THE DIRECTIVE
Proportionality is one of the requirements that must be met in order to justify any interference with privacy.36 In the Dudgeon case, the Court stated that a
restriction on a right cannot be regarded as necessary in a democratic society unless it is proportionate to the legitimate aim pursued.37 Besides, the EPD
allows data retention measures where necessary, appropriate and proportionate within a democratic society.38 Similarly, DRD refers to the necessity and
26 Id., art. 5. 27 Id., art. 6. 28 Id., art. 12(1). 29 Id., art. 7(d).
30 DRD, supra note 5, art. 7. 31 Id., art. 9.
32 Id., art. 13. 33 Id., art. 15. 34 Id., art. 10. 35 Id., art. 14.
36 Francesca Bignami, Protecting Privacy Against the Police in the European Union: The Data
Retention Directive, 8 CHI.J.INT’L L. 233, 242 (2007). .
37 Dudgeon v UK, App. No. 7525/76 (Eur. Ct. H. R., Oct. 22, 1981) para. 53.
38 Abu Bakar Munir and Siti Hajar Mohd Yasin, Retention of Communications Data: A Bumpy
proportionality requirements. Despite the emphasis on ‘proportionality,’ the term is not defined in the EPD but its definition is devolved to the Member States.
In the UK, proportionality depends on three criteria: the degree of intrusion, strength of the public policy justification and the adequacy of the safeguards.39
Furthermore, in Germany, in order to be proportional, the means used should be suitable, necessary and reasonable.40 In contrast, in Canada, a non-EU state,
proportionality requires a showing that the means preferred to attain the objectives are reasonable and demonstrably justified.41
It is believed that ‘necessity’ and ‘reasonableness’ are the minimum conditions and ‘clarity of laws’ and ‘sufficiency of safeguards’ are of great importance so as to provide proportionality. Therefore, the main provisions of the DRD will be assessed according to these points in order to clarify whether the DRD establishes a proportionate response to terrorism.
A. Blanket Data Retention
The DRD mandates that network and service providers retain traffic and location data of individuals and legal entities.42 This provision emanates from allegations of law enforcement authorities that retention of traffic and location data of all individuals and legal entities are vital for tracing, locating and arresting criminals, including terrorists.43 However, it is believed that this
provision is obviously disproportionate and does not meet the requirement of necessity expressed by the Art. 8 of the Convention: “necessary in a democratic society.”
Firstly, governments have not adequately demonstrated that the absence of blanket data retention is detrimental to the public interest.44 Also, they were
39 Ryan Christopher Hansen, Data Preservation: An Effective Approach to Combating Internet
Crime in the U.K. (2003) at http://ssrn.com/abstract=947371 (last visited Sep 5, 2010).
40 Paul M. Schwartz, German and U.S. Telecommunications Privacy Law: Legal Regulation of
Domestic Law Enforcement Surveillance, 54 HASTINGS L.J. 751, 771 (2003).
41 Murray Gleeson, Chief Justice of Australia, Global Influences on the Australian Judiciary,
Address at the Australian Bar Association Conference, Paris, (Jul. 8. 2002), available at http://www.hcourt.gov.au/speeches/cj/cj_global.htm (last visited Apr. 12, 2010).
42 DRD, supra note 5, art. 1(2).
43 Caroline Goemans and Jos Dumortier, Enforcement Issues – Mandatory Retention of Traffic
Data in the EU: Possible Impact on Privacy and On-line Anonymity, in DIGITAL ANONYMITY AND
THE LAW:TENSIONS AND DIMENSIONS 166 (C. Nichols, J. E. J. Prins. and M. J. M. van Dellen, eds., Cambridge University Press, 2003).
44 Diane Rowland, Data Retention and the War Against Terrorism – A Considered and
unable to bring provide any evidence proving that retention of everybody’s data on such a large-scale is necessary.45
Secondly, they could not demonstrate that blanket retention is the only feasible option for combating terrorism.46 Moreover, there is a less invasive
alternative – the data preservation (quick freezing) method – available for law enforcement to attain the same objectives.47 In that method, the data retained by
the providers for their own purposes like billing is used.48 The police can ask
providers to store a suspect’s communications data and access the stored data after having obtained a warrant.49 This method was proposed by the European
Data Protection Supervisor (EDPS) instead of blanket retention but it was disregarded.50 It is obvious that this method is better than blanket retention in
terms of privacy because it affects not entire but limited number of individuals and data.51
In addition, the European Parliament has stated that blanket data retention must be prohibited, because it is contrary to the proportionality principle.52 Besides, blanket retention contradicts the Convention on Cybercrime, which is signed by all EU Member States. According to the Convention, data relevant to a criminal investigation can be retained only on a selective basis.53 Furthermore, the Data Protection Working Party (DPWP) has expressed a view that blanket retention is disproportionate, because it provides authorities with the chance to detect all an individual's movements, information sources and spending.54
45 DPWP, Opinion on the draft Framework Decision, 09.11.2004, p.4 [hereinafter DPWP Opinion
of Framework], 11885/04/EN, WP 99, available at http://ec.europa.eu/justice_home/fsj/privacy/ docs/wpdocs/2004/wp99_en.pdf (last visited Sep. 5, 2010).
46 Covington & Burling, M
EMORANDUM OF LAWS CONCERNING THE LEGALITY OF DATA RETENTION WITH REGARD TO THE RIGHTS GUARANTEED BY THE EUROPEAN CONVENTION ON HUMAN RIGHTS 10 (Privacy International, 2003).
47 Vilasau, supra note19, at 54.
48 Michael D. Birnhack and Niva Elkin-Koren, The Invisible Handshake: The Reemergence of the
State in the Digital Environment, 8 VA J.L.TECH. 6, 97 (2003).
49 Bignami, supra note 36, at 16.
50 European Commission, Opinion of the European Data Protection Supervisor on the Proposal
for a Directive of the European Parliament and of the Council on the Retention of Data Processed in Connection with the Provision of Public Electronic Communication Services and Amending Directive 2002/58/EC (COM(2005) 438 final),2005 OJ (C 298) 1, at 4 [hereinafter
‘EPDS Opinion’].
51 Judith Rauhofer, Just Because You’re Paranoid, Doesn’t Mean They’re Not After You:
Legislative Developments in Relation to the Mandatory Retention of Communications Data in the
European Union, 3 SCRIPT-ED 322, 340 (2006), at
http://www.law.ed.ac.uk/ahrc/script-ed/vol3-4/rauhofer.pdf (last visited Apr. 12, 2010).
52 European Parliament, Strategy for Creating a Safer Information Society, 2002 OJ (C 72E),
para. J.
53 Council of Europe, Convention on Cybercrime, art. 16-17, Oct. 23, 2001, ETS No. 185. 54 Goemans and Dumortier, supra note 43, at 178.
Moreover, in the Rotaru case, Judge Wildhaber stated that “…states do not enjoy unlimited discretion to subject individuals to secret surveillance or a system of secret files. The interest of a State in protecting its national security must be balanced against the seriousness of the interference with an applicant's right to respect for his or her private life.”55
Therefore, it is ambiguous whether blanket retention can be implemented in a Member State. For instance, in Germany, the Constitutional Court declared unconstitutional the Public Security and Order Act for Lower Saxony that authorised the police to store communication data of persons who may commit serious criminal offences; this was based on the fact that the court considered the law to not be proportionate.56
Taking into account the inadequacy of evidence provided by law enforcement authorities, the existence of alternative methods and the framework drawn by the precedents, blanket retention cannot be considered to be necessary in a democratic society and adopted as proportionate.
B. Retained Data
According to the DRD, traffic and location data57 concerning fixed network
telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony58 as well as unsuccessful call attempts,59 must be retained.
The purpose of this data retention provision is to identify the subscriber or registered user.60 However, it is equivocal whether or not these data can always
clearly identify the suspects or criminals. Some commentators61 and EDPS have
stated that this data is not always linked to a specified individual, so a telephone number or an IP address does not necessarily reveal the identity of an individual.62
Furthermore, technology also justifies these views. For instance, to connect a network via WiFi makes the location data useless and prevents law enforcement authorities from tracing an individual from such data.63 Besides, peer-to-peer
systems permit sharing information between peers without the intervention of a central server and some of these services use other computers to permit
55 Rotaru v. Romania, App. No. 28341/95 (Eur. Ct. H.R., May 04, 2000). 56 Rauhofer, supra note 51, at 335.
57 DRD, supra note 5, art. 1(2). 58 Id., art. 5.
59 Id., art. 3(2). 60 Id., art. 1(2).
61 Rauhofer, supra note 51, at 340. 62 EPDS Opinion, supra note 50, at 4. 63 Davies and Trigg, supra note 4, at 20.
communication between computers behind firewalls; thus, identification of users becomes almost impossible.64 Moreover, nowadays several organizations
set up virtual private networks (VPN) so as to provide safer communications. For instance, an individual can use Google VPN without worrying about data retention.65 Also, a subscriber or user becomes anonymous when an individual
accesses an ISP's network from an Internet cafe66 or uses an anonymizer proxy67
or wields special programs that obtain fake IP addresses, block cookies and change their browsers to mask any personal information.68
It is clear that those engaged in terrorism apply these methods to keep their communications from being retained. Thus, retention of these data may not be able to provide law enforcement agencies with the opportunity to achieve the aim pursued. Therefore, it is considered that retention of all this data is not reasonable and accordingly proportionate.69
In addition, some of this data does not serve the actual needs of law enforcement authorities. For example, the DRD stipulates retaining the date and time of the log-in and log-off of the Internet e-mail service to be able to identify the date, time and duration of a communication.70 However, an individual may log-in and log–off the service every few minutes merely to check for new e-mails or send an e-mail after hours. It is believed that no useful information can be derived by retaining this data and the retention of the date and time data of each e-mail would be more useful.71
Moreover, the DRD requires providers to retain the “user ID(s)” and “name and address of the subscriber or registered user to whom an IP address allocated.”72 However, many corporations that allocate millions of e-mail
addresses, like Google, and regional internet registries, except RIPE NCC that is in Europe, that allocate IP addresses73 are not subject to EU legislation. It is
64 Goemans and Dumortier, supra note 43, at 168.
65 Wikipedia, Telecommunications Data Retention, at http://en.wikipedia.org/wiki/
Telecommunications_data_retention (last visited Apr. 12, 2010).
66 Davies and Trigg, supra note 4, at 20.
67 Wikipedia, Telecommunications Data Retention, at http://en.wikipedia.org/wiki/
Telecommunications_data_retention (last visited Apr. 12, 2010).
68 Laura K. Donohue, Anglo-American Privacy and Surveillance, 96 J. C
RIM.L.&CRIMINOLOGY 1059, 1183 (2006).
69 Id.
70 DRD, supra note 5, art. 5(1)(c)(2).
71 Eleni Kosta, Data Retention Directive: What the Council Cherishes, the Privacy Advocates
Reject and the Industry Fears, PROCEEDINGS OF THE 45TH FITCECONGRESS -TELECOM WARS:
THE RETURN OF THE PROFIT 209, 209-14 (Athens, 30 August – 2 September 2006).
72 DRD, supra note 5, art. 5(1)(a)(2).
73 See Internet Assigned Numbers Authority, at http://www.iana.org/numbers/(last visited Apr.
clear that terrorists are aware of these facts and therefore use services of parties that are not subject to EU legislation. In this context, it is considered that retention of this data is not proportionate because it does not serve the aim pursued.
C. Retention Period
Retention period is one of the most moot issues. According to the EPD, traffic data can only be retained for billing and interconnection payments purposes.74 The draft Decision suggested retaining data up to three years.
However, the European Parliament rejected that, stating that any rules imposed must be proportional to any threat75. Also, many commentators found that
period excessive and disproportionate.76
In reply to criticism, the Commission suggested retaining data for fixed and mobile electronic communication services for a period of one year and electronic communications using the Internet protocol for a period of six months. This proposal has been found generally satisfactory by the EP, EDPS and DPWP.77 However, after discussions in the Council, the retention period was lengthened. According to the DRD, the data listed in Article 5 must be retained for a period not less than six months and more than two years from the date of the communication.78
This period was found unacceptable and disproportionate for several reasons. To begin with, law enforcement authorities could not provide any persuasive evidence that they need data more than six months after the event. Only a study by the UK police was submitted to demonstrate that traffic data up to one year old may be needed by law enforcement agencies. However, this study clearly showed that 85% of the traffic data needed by the police was less than six months old.79 The EDPS and DPWP appraised the evidence for longer
retention to be insufficient.80 Also, a survey made by Erasmus University
revealed that most of the traffic data requested by Dutch police in serious investigations is not older than three months old.81 Moreover, analyses made by
telecommunication companies in Europe indicated that the largest amount of
74 EPD, supra note 15, art. 6. 75 See Davies and Trigg, supra note 4. 76 Bignami, supra note 36, at 247. 77 Id.
78 DRD, supra note 5, art. 6.
79 EPDS Opinion, supra note 49, at 4. 80 Bignami, supra note 36, at 243.
81 European Digital Rights, Dutch Study Fails to Prove Usefulness and Necessity Data Retention,
data requested by law enforcement was not older than six months.82
Furthermore, no party could provide any evidence demonstrating that data older than one year is routinely requested and used by law enforcement agencies. Thus, the European Data Protection Commissioners expressed the view that systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate.83
In addition, the DRD permits Member States to extend the maximum retention period in “particular circumstances.” 84 However, the envisaged
‘particular circumstances’ are not clarified and their meaning is devolved to the Member States. In Ireland, providers retain data for a period of three years for specific purposes and disclose them when asked. Poland has introduced mandatory data retention for fifteen years in order to effectively prosecute corruption;85 it is considered that ambiguity of this clause provides the MS the opportunity to legitimize their current legislations and may pave the way for more disproportionate cases.
As a result, it is believed that the 2 year retention period is not reasonable and proportionate due to a lack of evidence supporting such a long time period.
D. Ambiguities in the DRD 1. The term “serious crime”
The draft Decision allowed the retention of data in order to not only investigate and prosecute but also impede all types of crimes. Nevertheless, in the first draft of the DRD, the crimes combated were limited to “serious criminal offences, such as terrorism and organized crime.” Later, due to the strong opposition of the European Parliament, the DPWP and data protection advocates, crime prevention was made separate from the use of data limited to ‘serious crimes.’86 The EDPS87 and DPWP88 highlighted the uncertainty of
‘serious crime’ and requested clarification of it in order to hinder potential disproportionalities that may emanate from different practices in the Member States, but the DRD did not describe it and left it to the Member States. Nevermore, the demands of the Director of the German Chapter of the International Federation of Phonogram and Videogram Producers to make
82 DPWP Opinion of Framework, supra note 44, at 4. 83 Id. at 5.
84 DRD, supra note 5, art. 12(1). 85 Kosta, supra note 71, 209-14. 86 Bignami, supra note 36, at 242. 87 EPDS Opinion, supra note 50, at 7.
88 DPWP, Opinion on the Directive 2006/24/EC, 25 Mar 2006, at 3[hereinafter DPWP Opinion],
654/06/ENWP 119, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/ wp119_en (last visited Sep. 5, 2010).
retained data available for civil-law disclosures for tracing file sharers obviously illustrated how the definition of ‘serious crime’ can be stretched89 and
demonstrated the necessity to clarify this term.
2. Parties that can access to retained data
The DRD does not expressly designate the parties that can access retained data. It states that retained data must be provided only to competent national authorities in specific cases and in conformity with national law.90 The data
must be transmitted upon request to the competent authorities without undue delay.91 However, the DRD did not define the term ‘competent authorities’ but
devolved it to Member States for definition. Besides, the call of the DPWP to make public the list of competent authorities has been overlooked.92
Furthermore, the DRD is ruling that providers must take proper technical and organizational measures that enable only specially-authorized personnel to access retained data.93 However, there is no definition of ‘specifically authorized personnel’ in the DRD. The DPWP offered to logically separate the systems for storage of data for public order purposes and for business purposes, but this proposal was disregarded. The uncertainty of the terms ‘competent authorities’ and ‘specifically authorized personnel,’ coupled with the uniqueness of the databases may engender disproportionate implementations in the Member States.
E. Safeguard Measures
The DRD did not stipulate the procedures and conditions of gaining access to retained data but devolved it down to the Member States. Each state, in accordance with the necessity and proportionality requirements, must regulate this issue in its national law.94
It is obvious that substantial amounts of data will be stored in the databases of providers and this data will attract various parties. For instance, law enforcement authorities may attempt data-mining based on retained data or providers may attempt to use these data for business purposes.95 Also, it is
worth noting that the US government has amazingly declared its interest to gain access to the data that will be retained according to the DRD.96 Besides, it has
89 Kosta, supra note 71, 209-14. 90 DRD, supra note 5, art. 4. 91 Id., art. 8.
92 See DPWP Opinion, supra note 87. 93 DRD, supra note 5, art. 7(c). 94 DRD, supra note 5, art. 4.
95 See DPWP Opinion, supra note 87. 96 Kosta, supra note 71, 209-14.
recently been revealed that the FBI improperly and illegally obtained and used personal information of people that live in the US.97 All these facts illustrate the
need for strong safeguard measures.
Furthermore, in the Klass case, the Court expressed that the rule of law requires that interference with individual rights by executive authorities should be subject to effective control and the Court must be satisfied that there exist adequate and effective guarantees against abuse.98 Moreover, the Court, in the Foxley case, found that the interception of a bankrupt person’s mail violated
Article 8 of the ECHR due to the absence of sufficient and effective safeguards to ensure minimum impairment of the right to privacy.99 It can be inferred from
the case law that for a measure interfering rights to be proportional, the Member State must put in place sufficient and influential safeguards.
IV. CONCLUSION
Terrorism is a threat against global peace and security. Therefore, official authorities must take political, economic and legal measures to combat terrorism. The DRD is one of these measures that aims to help this purpose by retaining communications data of legal entities and natural persons. However, it is still substantially debated if it demonstrates a proportionate response to terrorism.
The DRD envisages the use of blanket data retention methods. Nevertheless, the lack of evidence demonstrating the need for blanket retention and the existence of less invasive alternatives prove that blanket retention is not a necessity. Besides, the DRD charges providers to retain large amounts of data to identify suspects and criminals. However, retention of this data may not be able to reveal the identities of individuals due to the use of technological tools that conceal the identities by making communications anonymous. Moreover, the DRD stipulates retention of the data for a period of 6-24 months. This period is considered to be unreasonable because official authorities and providers could provide no evidence that data older than one year is required and routinely used by law enforcement agencies in criminal investigations. Furthermore, the DRD does not clarify some critical terms like ‘serious crimes’ and ‘competent authorities’ but instead devolves this responsibility to the Member States. However, it is believed that various perceptions of the Member States may pave the way for undesirable consequences when construing these terms.
97 MSNBC. Justice Department: FBI Acted Illegally on Data, Apr. 15, 2007, at
http://www.msnbc. msn.com/ id/11100916/ (last visited Apr. 12, 2010).
98 Klass and Others v. Germany, App. No. 5029/71 (Eur. Ct. H.R., Sep. 06, 1978) para.50, 55. 99 Foxley v. UK, App No. 33274/96, (Eur. Ct. H.R., Jun.20, 2000) para. 43.
In respect of the safeguard measures within the context of ensuring proportionality, the crimes that are serious must be specified, the parties that can access to retained data must be restricted and defined, the authorization for relevant parties to gain access to and use retained data must be left to legal authorities,100 while transparent and effective supervision mechanisms should be
designed by the Member States in their national laws.101
In conclusion, it is obvious that law enforcement authorities in the EU have the responsibility to fight against terrorism by using all effective means. However, as the Court noted in the Klass case, states, in the name of the struggle against terrorism, may not apply whatever measures they deem appropriate. Therefore the Member States, before all else, must respect and be loyal to the values on which the EU is founded and therefore have to reassess the DRD since the DRD does not meet the criteria of necessity and reasonableness and constitute a disproportionate response to terrorism.
100 EPDS Opinion, supra note 50, at 8. 101 Munir and Yasin, supra note 38, at 747.
BIBLIOGRAPHY
Bignami, Francesca, Protecting Privacy Against the Police in the European
Union: The Data Retention Directive, 8 CHICAGO JOURNAL OF
INTERNATIONAL LAW 233 (2007).
Birnhack, Michael D. and Niva Elkin-Koren, The Invisible Handshake: The
Reemergence of the State in the Digital Environment, 8 VIRGINIA JOURNAL OF
LAW AND TECHNOLOGY 6 (2003).
Cooley, Thomas M., LAW OF TORTS (2nd ed., Callaghan and Company, 1888). Covington & Burling, MEMORANDUM OF LAWS CONCERNING THE LEGALITY OF DATA RETENTION WITH REGARD TO THE RIGHTS GUARANTEED BY THE
EUROPEAN CONVENTION ON HUMAN RIGHTS 10 (Privacy International, 2003). Davies, Gareth and Gayle Trigg, Being Data Retentive: A Knee Jerk Reaction, COMMUNICATIONS LAW, Volume 11(1) (2006).
De Hert, Paul, Balancing Security and Liberty within the European Human
Rights Framework: A Critical Reading of the Court’s Case Law in the Light of Surveillance and Criminal Law Enforcement Strategies after 9/11, 1 UTRECHT
LAW REVIEW 68 (2005).
Donohue, Laura K., Anglo-American Privacy and Surveillance, 96 JOURNAL OF
CRIMINAL LAW &CRIMINOLOGY 1059 (2006).
Gleeson, Murray, Chief Justice of Australia, Global Influences on the
Australian Judiciary, Address at the Australian Bar Association Conference,
Paris, (Jul. 8. 2002).
Goemans, Caroline and Jos Dumortier, Enforcement Issues – Mandatory
Retention of Traffic Data in the EU: Possible Impact on Privacy and On-line Anonymity, in DIGITAL ANONYMITY AND THE LAW: TENSIONS AND
DIMENSIONS 166 (C. Nichols, J. E. J. Prins. and M. J. M. van Dellen, eds.,
Cambridge University Press, 2003).
Hansen, Ryan Christopher, DATA PRESERVATION: AN EFFECTIVE APPROACH TO COMBATING INTERNET CRIME IN THE U.K. (2003).
Kosta, Eleni, Data Retention Directive: What the Council Cherishes, the
Privacy Advocates Reject and the Industry Fears, PROCEEDINGS OF THE 45TH
FITCECONGRESS -TELECOM WARS:THE RETURN OF THE PROFIT 209 (Athens,
30 August – 2 September 2006).
Lloyd, Ian J., INFORMATION TECHNOLOGY LAW (4th ed., Oxford University
MSNBC. Justice Department: FBI Acted Illegally on Data, Apr. 15, 2007, at http://www.msnbc. msn.com/ id/11100916/ (last visited Apr. 12, 2010).
Munir, Abu Bakar and Siti Hajar Mohd Yasin, Retention of Communications
Data: A Bumpy Road Ahead, 22 JOHN MARSHALL JOURNAL OF COMPUTER &
INFOMATION LAW 731 (2004).
Rauhofer, Judith, Just Because You’re Paranoid, Doesn’t Mean They’re Not
After You: Legislative Developments in Relation to the Mandatory Retention of Communications Data in the European Union, 3 SCRIPT-ED 322 (2006). Reidenberg, Joel R., E-Commerce and Trans-Atlantic Privacy, 38 HOUSTON
LAW REVIEW 717 (2001).
Rowland, Diane, Data Retention and the War Against Terrorism – A
Considered and Proportionate Response?, THE JOURNAL OF INFORMATION, LAW AND TECHNOLOGY, 2004(3).
Schwartz, Paul M., German and U.S. Telecommunications Privacy Law: Legal
Regulation of Domestic Law Enforcement Surveillance, 54 HASTINGS LAW
JOURNAL 751 (2003).
Vilasau, Monica, Traffic Data Retention & Data Protection: The New
European Framework, COMPUTER AND TELECOMMUNICATIONS LAW REVIEW, Volume 13(2), 2007.
